Krebs on Security

In-depth security news and investigation

Don’t Get Sucker Pumped

Gas pump skimmers are getting craftier. A new scam out of Oklahoma that netted thieves $400,000 before they were caught is a reminder of why it’s usually best to pay with credit versus debit cards when filling up the tank.

The U.S. Attorney’s office in Muskogee, Okla. says two men indicted this month for skimming would rent a vehicle, check into a local hotel and place skimming devices on gas pumps at Murphy’s filling stations located in the parking lots of Wal-Mart retail stores. The fraud devices included a card skimmer and a fake PIN pad overlay designed to capture PINs from customers who paid at the pump with a debit card.

A PIN pad overlay device for gas pumps. Photo: NewsOn6.com

According to their indictment (PDF), defendants Kevin Konstantinov and Elvin Alisuretove would leave the skimming devices in place for between one and two months. Then they’d collect the skimmers and use the stolen data to create counterfeit cards, visiting multiple ATMs throughout the region and withdrawing large amounts of cash. Investigators say some of the card data stolen in the scheme showed up in fraudulent transactions in Eastern Europe and Russia.

As the Oklahoma case shows, gas pump skimmers have moved from analog, clunky things to the level of workmanship and attention to detail that is normally only seen in ATM skimmers. Investigators in Oklahoma told a local news station that the skimmer technology used in this case was way more sophisticated than anything they’ve seen previously.

Increasingly, pump skimmer scammers are turning to Bluetooth-enabled devices that connect directly to the pump’s power source. These skimmers can run indefinitely, and allow thieves to retrieve stolen card data wirelessly while waiting in their car at the pump.

Below is one such card skimming device, pulled off a compromised gas station pump late last year in Rancho Cucamonga, Calif.

A new, unaltered generic gas pump card acceptance slot. The device on the right has a Bluetooth skimming device attached.

Pump skimmers can be fairly cheap to assemble. The generic gas pump card acceptance device pictured left in the image above (Panasonic ZU-1870MA6t2) can be purchased for about $74. The pump skimmer scammers must love this model: It almost looks like it’s designed to hold additional electronics.

Investigators say the individuals responsible for these pump scams are able to ply their trade because a great many pumps can be opened with a handful of master keys. In the end, it comes down to a cost decision by the filling station owners: This story from Fox News about a rash of pump skimmers discovered earlier this month in Minnesota says that it costs filling stations about $450 to re-key eight pumps.

This entry was posted on Monday, July 29th, 2013 at 10:43 am and is filed under All About Skimmers.

@Richard, yes, skimming around the globe will be impacted once the US adopts EMV cards and rolls out Chip and PIN terminals. We’re the last major holdout country, and once our roll out is complete it will enable banks worldwide to remove their US-compatible mag stripes.

EMV is not perfect, but many of the weaknesses that have been found have been addressed without having to roll out new gear. The remaining known vulnerabilities are very difficult to exploit, and won’t affect customers on the same scale as the skimming of card data is today.

Only if the US skips offline SDA, and moves directly to DDA/CDA – or skips offline completely, which I’ve heard rumours is the case. By going online only you’d have a major problem during network blackouts, so I don’t see that as a good solution.

Unfortunately DDA/CDA is a bit more expensive, particularly due to added RSA encryption on the cards, so I wouldn’t be surprised if the US goes for SDA.

Why would using a credit card be any safer? A skim is a skim, ATM card, debit card, amex, etc.

The quality shown in the article is just the keyboard used to obtain pins or zip codes (sometimes used to ‘validate’ credit cards, which do not have pins). The actual card skimmer that Konstantinov & Alisuretove used was not shown. One can only assume that it is of the same quality and attention to detail as the keyboard.

Note, to place the keyboard, one would need to have access to the inside of the pump to connect the edge connector (as pictured). One would wonder how someone did not see them, even if they did have one of the master keys mentioned. Also, the state ‘weights & measures department’ seal would have been broken.

Most debit cards come with a zero liability policy, it is true. But they draw straight from your checking account, so while you may ultimately get that money back, there will likely be a decent delay, during which time you’re out that cash. Also, if someone steals $1000 from your checking and you don’t have $1,000 left in it, other checks you may have recently written will bounce, causing a chain reaction of fees and other headaches that aren’t as easily reversed.

This is especially troublesome for people who are on the road, perhaps on a trip or vacation. Being unable to draw on your cash while on the road could be a major inconvenience.

I believe if you use your Debit Card as a Credit Card, not using a PIN, you have the same protections as a normal Credit Card, plus most banks don’t charge you a fee to make a purchase this way. The sad thing is the merchant has to pay a fee, but they do for every Credit Card purchase anyway.

Which card you would use, debit or credit, shouldn’t be a problem for you if you would divide your costs into fixed and variable.

Choose an account without cards to receive your income and to pay your fixed costs, like housing, water, electricity etc. Write an amount to the variable costs account, which has a card, to pay for gas, leisure etc. Also a way to budget yourself and to prevent overspending…

The other downside to having a debit card skimmed is that your bank accounts can be frozen… and not just the account you attempted to use. They will freeze even the accounts attached to the card. This means you are unable to access cash, pay the mortgage, car payments, other bills, etc. If you have your credit card frozen chances are you have another credit card you can use in the meantime.

People asking why credit is safer than debit: it’s law vs. policy. Credit companies are *required by law* to limit the liability of their cardholders against this kind of fraud.

Banks may have a *policy* to do so with debit cards, but that policy doesn’t have compliance or law behind it, and so getting your money back may be significantly harder than you imagine. And a lot of banks don’t have good policies to begin with.

If you use a credit card, and look carefully at your credit card statements, you can report any fraudulent charges without having any money withdrawn from your account. With a debit card, the money is withdrawn right away, and as BK wrote, it can take a while for the money to be returned to you.

This is also why it’s best not to use a debit card to make online purchases.

Ask that of your typical Murphy’s (or any franchise/satellite gas station) attendant. After 99 unexciting checks, they just won’t anymore. It’s a waste of their time, even if they are trained to spot the telltale signs.

Corporate may even make the declaration, but I’d be shocked if even half the installations would bother.

Not saying your suggestion is bad; it’s just not something I could realistically rely upon.

Brian, thank you for all of the great research you are doing. I’m wondering if you have ever thought of writing an article about why the vast majority of cyberthieves seem to be from Russia and Ukraine.

Interesting that they target the Murphy gas stations in the Walmart stores. The store close to my residence closes at 12 midnight and opens at 6:00 am, and yes they have cameras ….. they are probably tired of looking back at the tapes of people trying to get gas when the pumps are closed. …. very clever. By the way great reminder on the use of credit vs. debit, I tell that to my student all the time.

I don’t know what to do now!!??
I only have one credit card and I always buy my milk from a local gas pump. Now I’m doomed, they’re going to skim my card and use all the money I have. I’m so scared. Please help me, send me money by Western Union. I’m a Vietnam veteran without any legs and if they do this to me I will take the law into my own hands, trust me. God bless Kazakhstan, the biggest potassium exporter in the world. I hope my legs will grow back one day so I can dance again like a Michael Jackson.

This research and explanation shows three things:
1. With parts forgery this good, then there is nothing a person can do to protect themselves. The data will be stolen and you won’t know it until you have to deal with credit rating agencies that do not respond.
2. Businesses really don’t care if people have credit problems as long as the business gets paid.
3. Until businesses have legal and economic incentives to ensure transactions are secure and their machines stay secure, they will do nothing. That a machine can be physically modified without notice of alteration should be negligence with quadruple damages as a fine.

So all the criminal underworld has to do is convince the attendant to install a modified card machine inside the building. I know I have seen reporting on this in the past. It was inside grocery stores I think.

Brian, related to 160 mil. credit card thefts, DOJ indictment last week.
NYT reported that a stolen US credit card details sold for only $10/apiece vs. a stolen European credit card (presumably protected with an EMV chip) would sell for $50 “due to higher security”.
If the authorized Euro cardholder still has his card in his pocket, how can that card’s stolen Euro numbers be operable by the thief without the original chip?
Thanks.

Because even cards with chip-and-PIN in them (most, not all) have mag stripes on the back for backward compatibility — mainly for use in the United States and other countries that have not yet migrated to chip-and-PIN.

I have documented this time and again when writing about ATM fraud in Europe. e.g:

“The latest report from EAST continues to emphasize that most card fraud stemming from skimming incidents in Europe is in fact perpetrated outside of Europe, particularly in the United States, the Dominican Republic, Brazil, Mexico, Peru and Thailand.

EAST posits that a big reason for this trend is the broad adoption in Europe for a bank card security standard known as EMV (short for Europay, MasterCard and Visa), more commonly called “chip-and-PIN.” Most European banks have EMV-enabled cards, which include a secret algorithm embedded in a chip that encodes the card data, making it more difficult for fraudsters to clone the cards for use at EMV-compliant terminals. Because chip-and-PIN is not yet widely supported in the United States, skimmer scammers who steal card data from European ATM users tend to ship the stolen card data to buyers or co-conspirators in the United States, where the data is encoded onto fabricated cards and used to pull cash out of U.S. ATMs.

EAST notes that in ten European countries, one or more card issuers have now introduced some form of “geo-blocking,” by which payment cards are blocked for usage outside of designated EMV Chip liability shift areas. The organization found that issuers which have adopted such tactics continue to show a decline in skimming incidents and in skimming related losses.”

I can confirm that my bank is blocking the usage of my Maestro (debit) card to “geographical Europe” (it’s somewhat flexible and includes countries like Russia and Kazakhstan but still). If I want to use it somewhere else I have to request it from the bank.

People have a hard enough time spotting a fake iPhone these days. I think the point is that you may not be able to spot them; merchants and customers should both be taking steps to minimize their overall exposure.

Although devices present a major issue for both consumers and merchants, I have not seen anyone address Reg E and how that protects consumers that use any credit or debit card with the Visa logo. As long as the transaction does not involve your PIN, you are protected under Visa’s guidelines. It’s only when the PIN is used that any considerations for a refund would be taken as a loss by the bank. Visa gives you up to 120 days from the transaction date to dispute. Even the bank I work for will usually always refund charges outside of 120 days.

A debit card WITH a Visa logo, is a debit card.
A debit card WITHOUT a Visa logo, is a debit card.
A debit card WITH a Visa logo, does NOT convert it into a credit card, with its much greater consumer protections.
A debit card withdraws funds from a checking account, not a loan account.
A debit card WITH a Visa logo, merely means the transaction CAN go via the Visa network, taking 1-2 days longer to be posted on your checking account.
A US issued debit card, with or without a Visa logo, is today a risky way to get cash, or pay for goods, except inside the issuer’s lobby. See EMV chip above.

With this setup, there just isn’t any way to identify that there is a skimmer installed without having access to the inside of the pump because visibly the module in the picture is identical to the original and possibly was stolen from another pump and then modified. The device pictured was recovered only a few miles from my home.

I think Arco has a better solution to this: they have pay stations that accept cash and ATM cards. The card reader grabs the card and scans it internally and spits the card back out, but the opening is flush with the entire housing. It would be impossible to overlay something on this machine. I am not certain how easy it would be to insert a skimmer through the slot and not have it impede the card path. Also, as this machine accepts cash, I believe that access to the inside of the machine would be more tightly controlled.

1: Yes, always use a credit card, not debit. It’s better that you keep the money in your own hands while the disputed charges are resolved than waiting for the bank to refund you. Several years ago, my wife’s debit card was stolen. We spotted the charges immediately, but the bank (PNC – may they lose all their customers quickly) refused to cancel her card or block the activity until the fraudulent charges all cleared (and the account was drained.) It was over a month (including many threatening letters from lawyers) before they refunded her money. And yes, I’m aware of the fact that their actions were in violation of Federal law.

(FWIW, I will never do business with PNC ever again. If they should somehow become the last bank on Earth, I’ll switch to keeping cash in a box under my bed before opening an account with them again.)

2: I can’t tell you how many gas pumps have the security seal torn, or detached or just missing. Even the state weights-and-measure stickers are often worn out and faded. None of the people who should take this seriously seem to care.

3: Many gas stations (at least in Virginia where I live) will leave the pumps on and will allow pay-at-the-pump sales when the office is closed. So there is plenty of time for someone to install a skimmer after hours without looking suspicious – especially if he is filling his tank at the same time.

4: I log on to my bank’s web site every morning to review the previous day’s charge record. If fraudulent charges start appearing, I will spot it within 24 hours. I can then have the bank cancel the card and dispute the fraudulent charges. And because it’s a credit, not debit card, I won’t be out all that money while the disputes are resolving.

Interesting about these card readers. 4 months ago I went to get gas in Pennsylvania and when I went to dial my PIN the touch panel flopped into the pump. Seeing how it was very similar to what you show in your pic, I’m wondering if I was correct when I told the attendant that they should get a tech to check the machine since it looked like a skimmer was installed. Naturally I was met with a vacant look with glazed eyes when I explained it to them.

The biggest reason these schemes work is that Gilbarco and Wayne key their pumps with the same keys they have been using since they began locking pumps. I have keys from when I worked at a gas station in the early 1970s that will still open Wayne pumps made today. Some large chains have started requesting different keys, but that is still rare. In addition, Gilbarco and Wayne are now designing their pumps so that the external keys only allow access to change receipt paper and nothing else.

Debit cards are evil. You have to fight to get your money back. Several large banks have begun to make their customers jump through hoops to get reimbursements on PIN based transactions. I have not actually observed the letter but several folks that have complained to my office stating that the Bank won’t accept the claim until the Police arrest someone – or – They must know the person and did not protect their card.

Most customers don’t realize that they are responsible NOT to give out their PIN number or loan their card. If the banks can substantiate any violation of the policy, they will deny the claim. The customers do have a responsibility to also protect their money. But most aren’t that …… Well let’s just say that they don’t do it.

Remember, it is your money and Identity. Don’t rely on someone else to protect your money… Use your cards wisely and not at gas pumps.

Easy Fix from Canada
Pin the door on the pump with a failsafe switch that kills the pump when an intrusion has occurred at any time day or night. A warning light on attendants console would indicate door was tampered/opened. This would force a pump service tech to look inside before putting a pump back into service. Password protect the reset.
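The latching door interlock proposed in the comment above can be sketched as follows. This is an added example, not part of the original post or its comments; the class name, log strings, times and password are constructed, and treating a cut or shorted sensor loop as an intrusion is an assumption about what "failsafe" should mean here.

```python
import hashlib
import hmac
import os
from enum import Enum

class Door(Enum):
    CLOSED = "closed"
    OPEN = "open"
    FAULT = "fault"  # sensor loop cut or shorted; handled the same as OPEN

class PumpInterlock:
    """Latching interlock: any intrusion disables the pump until a reset."""
    def __init__(self, reset_password: str):
        self._salt = os.urandom(16)
        self._digest = self._kdf(reset_password)  # plaintext is never stored
        self._door = Door.CLOSED
        self.tripped = False
        self.log = []  # (time, event) pairs shown on the attendant console

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def door_sample(self, when: str, state: Door) -> None:
        self._door = state
        if state is not Door.CLOSED and not self.tripped:
            self.tripped = True  # latch: closing the door does not clear it
            self.log.append((when, f"TRIP door={state.value}"))

    def pump_enabled(self) -> bool:
        return not self.tripped and self._door is Door.CLOSED

    def reset(self, when: str, password: str) -> bool:
        # Constant-time comparison of derived keys, then a physical check.
        if not hmac.compare_digest(self._kdf(password), self._digest):
            self.log.append((when, "RESET denied: bad password"))
            return False
        if self._door is not Door.CLOSED:
            self.log.append((when, "RESET denied: door not closed"))
            return False
        self.tripped = False
        self.log.append((when, "RESET ok"))
        return True

def demo():
    """Constructed overnight sequence: pump state after each step, plus log."""
    lock, states = PumpInterlock("constructed-pw"), []
    for step in (lambda: lock.door_sample("02:10", Door.OPEN),
                 lambda: lock.door_sample("02:25", Door.CLOSED),
                 lambda: lock.reset("06:05", "guess"),
                 lambda: lock.reset("09:30", "constructed-pw")):
        step()
        states.append(lock.pump_enabled())
    return states, lock.log
```

Because the trip is latched, shutting the door again after hours leaves the pump disabled and the console event in place until someone with the reset password has been to the pump.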